public-health-ch/ansible/roles/dev-sec.ssh-hardening/tests/default_custom.yml

139 lines
3.9 KiB
YAML

---
- name: wrapper playbook for kitchen testing "ansible-ssh-hardening" with custom settings
hosts: localhost
pre_tasks:
- name: use python3
set_fact:
ansible_python_interpreter: /usr/bin/python3
when: ansible_facts.distribution == 'Fedora'
- yum:
name:
- openssh-clients
- openssh-server
- libselinux-python
state: present
update_cache: true
ignore_errors: true
- dnf:
name:
- openssh-clients
- openssh-server
- procps-ng
state: present
update_cache: true
ignore_errors: true
- apt:
name:
- openssh-client
- openssh-server
state: present
update_cache: true
ignore_errors: true
- file:
path: "/var/run/sshd"
state: directory
- pacman:
name:
- "openssh"
- "awk"
state: present
update_cache: true
ignore_errors: true
- name: create ssh host keys
command: "ssh-keygen -A"
when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7') or
ansible_facts.distribution == "Fedora" or
ansible_facts.distribution == "Amazon"
roles:
- ansible-ssh-hardening
vars:
network_ipv6_enable: true
ssh_allow_tcp_forwarding: 'yes'
ssh_gateway_ports: true
ssh_allow_agent_forwarding: true
ssh_server_permit_environment_vars: 'yes'
ssh_server_accept_env_vars: 'PWD HTTP_PROXY'
ssh_client_alive_interval: 100
ssh_client_alive_count: 10
ssh_client_password_login: true
ssh_challengeresponseauthentication: true
ssh_compression: true
ssh_allow_users: 'root kitchen vagrant'
ssh_allow_groups: 'root kitchen vagrant'
ssh_deny_users: 'foo bar'
ssh_deny_groups: 'foo bar'
ssh_authorized_keys_file: '/etc/ssh/authorized_keys/%u'
ssh_max_auth_retries: 10
ssh_permit_root_login: "without-password"
ssh_permit_tunnel: true
ssh_print_motd: true
ssh_print_last_log: true
ssh_banner: true
ssh_server_password_login: true
sftp_enabled: true
sftp_chroot: true
#ssh_server_enabled: false
ssh_server_ports:
- 22
- 222
ssh_server_match_address:
- address: '192.168.1.1/24'
rules:
- 'AllowTcpForwarding yes'
- 'AllowAgentForwarding no'
ssh_server_match_group:
- group: 'root'
rules:
- 'AllowTcpForwarding yes'
- 'AllowAgentForwarding no'
ssh_server_match_user:
- user: 'root'
rules:
- 'AllowTcpForwarding yes'
- 'AllowAgentForwarding no'
ssh_server_match_local_port:
- port: 222
rules:
- 'AllowTcpForwarding yes'
- 'AllowAgentForwarding no'
ssh_remote_hosts:
- names: ['example.com', 'example2.com']
options: ['Port 2222', 'ForwardAgent yes']
- names: ['example3.com']
options: ['StrictHostKeyChecking no']
ssh_use_dns: true
ssh_use_pam: true
ssh_max_startups: '10:30:60'
ssh_trusted_user_ca_keys_file: '/etc/ssh/ca.pub'
ssh_trusted_user_ca_keys:
- '# ssh-rsa ...'
ssh_authorized_principals_file: '/etc/ssh/auth_principals/%u'
ssh_authorized_principals:
- { path: '/etc/ssh/auth_principals/root', principals: [ 'root' ], owner: "{{ ssh_owner }}", group: "{{ ssh_group }}", directoryowner: "{{ ssh_owner }}", directorygroup: "{{ ssh_group}}" }
ssh_host_key_algorithms:
- ssh-ed25519
- rsa-sha2-512
- rsa-sha2-256
- ssh-rsa
ssh_macs:
- hmac-sha2-512
- hmac-sha2-256
ssh_ciphers:
- aes256-ctr
- aes192-ctr
- aes128-ctr
- aes256-cbc
ssh_kex:
- diffie-hellman-group-exchange-sha256
- diffie-hellman-group-exchange-sha1
ssh_custom_options:
- "Include /etc/ssh/ssh_config.d/*"
sshd_custom_options:
- "AcceptEnv LANG"